I have a similar situation and found MuS's proposed solution to point me in the right direction. I was getting multi-valued fields for my uriprefix and discovered that `maxmatch=0
seemed to be causing that. So, changingmax_match=1` (the default) got me what I was looking for.
base_search | rex field=uri_path max_match=1 "(?<uri_prefix>/[^/]+)" | stats count by uri_prefix
sure it will not group anything, because there is no stats nor any other command which will do that. So if you take the updated search and add a stats to it will that match your needs?
your base search uri_path=/foo/* OR uri_path=/bar/* | rex field=uri_path max_match=0 "(?<uri_prefix>/[^/]+)" | stats count by uri_prefix
I can only try to help and try to lead you, but I cannot write a complete search because I don't have your data....
Then (based on your example, your just need first part of uri, '/foo' and '/bar'), try this.
your base search| rex field=uripath "^(?<uriprefix>.*)\/"| stats count by uri_prefix